IlohaMail index.php session Parameter Arbitrary File Access

medium Nessus Plugin ID 14631

Synopsis

The remote web server is hosting a PHP script that is affected by an information disclosure vulnerability.

Description

The target is running at least one instance of IlohaMail version 0.7.11 or earlier. Such versions contain a flaw in the processing of the session variable that allows an unauthenticated attacker to retrieve arbitrary files available to the web user, provided the filesystem backend is in use.

Solution

Upgrade to IlohaMail version 0.7.12 or later.

See Also

http://www.nessus.org/u?70b46336

http://www.nessus.org/u?066bde18

Plugin Details

Severity: Medium

ID: 14631

File Name: ilohamail_arbitrary_file_access_via_session.nasl

Version: 1.12

Type: remote

Family: CGI abuses

Published: 9/2/2004

Updated: 8/15/2022

Supported Sensors: Nessus

Vulnerability Information

Vulnerability Publication Date: 3/4/2003